Arch Linux Security Advisory ASA-202101-19 ========================================== Severity: High Date : 2021-01-12 CVE-ID : CVE-2021-1052 CVE-2021-1053 CVE-2021-1056 Package : nvidia-utils Type : multiple issues Remote : No Link : https://security.archlinux.org/AVG-1417 Summary ======= The package nvidia-utils before version 460.32.03-1 is vulnerable to multiple issues including privilege escalation, denial of service and information disclosure. Resolution ========== Upgrade to 460.32.03-1. # pacman -Syu "nvidia-utils>=460.32.03-1" The problems have been fixed upstream in version 460.32.03. Workaround ========== None. Description =========== - CVE-2021-1052 (privilege escalation) The NVIDIA GPU Display Driver, all versions of the R460 and R450 driver branches, contains a vulnerability in the kernel mode layer (nvidia.ko) handler for DxgkDdiEscape or IOCTL in which user-mode clients can access legacy privileged APIs, which may lead to denial of service, escalation of privileges, and information disclosure. This issue is fixed in versions 460.32.03 and 450.102.04. - CVE-2021-1053 (denial of service) The NVIDIA GPU Display Driver, all versions of the R460 and R450 driver branches, contains a vulnerability in the kernel mode layer (nvidia.ko) handler for DxgkDdiEscape or IOCTL in which improper validation of a user pointer may lead to denial of service. This issue is fixed in versions 460.32.03 and 450.102.04. - CVE-2021-1056 (information disclosure) The NVIDIA GPU Display Driver contains a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure. This issue is fixed in versions 460.32.03, 450.102.04 and 390.141. Impact ====== A local user might crash the service, escalate privileges or disclose sensitive information. References ========== https://nvidia.custhelp.com/app/answers/detail/a_id/5142 https://security.archlinux.org/CVE-2021-1052 https://security.archlinux.org/CVE-2021-1053 https://security.archlinux.org/CVE-2021-1056